When I boot with iomem=relaxed and enable flash writing in my BIOS I get the following result with my Celsius H265 notebook:
flashrom -p internal:laptop=force_I_want_a_brick --read celsius2.rom
flashrom p1.0-74-g2568357 on Linux 4.17.0-rc3+ (x86_64) flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns). ======================================================================== WARNING! You seem to be running flashrom on an unsupported laptop. Laptops, notebooks and netbooks are difficult to support and we recommend to use the vendor flashing utility. The embedded controller (EC) in these machines often interacts badly with flashing. See the manpage and https://flashrom.org/Laptops for details.
If flash is shared with the EC, erase is guaranteed to brick your laptop and write may brick your laptop. Read and probe may irritate your EC and cause fan failure, backlight failure and sudden poweroff. You have been warned. ======================================================================== Proceeding anyway because user forced us to. Found chipset "Intel ICH9M-E". Enabling flash write... OK. Found Winbond flash chip "W25X32" (4096 kB, SPI) mapped at physical address 0x00000000ffc00000. Reading flash... done.
However if I execute this twice I get two different images: wget https://www.elstel.org/uploads/celsius.rom wget https://www.elstel.org/uploads/celsius2.rom
Using vbindiff I can see that quite a lot is different between both images. - which would be difficult to achieve if the firmware was changed while I am running my computer. The image may be somehow corrupted as me_cleaner (BIOS offers Intel AMT) can not process the image:
python ../me_cleaner/me_cleaner.py -S -O celsius-no-me.rom celsius.rom Unknown image
See also the dmidecode that I have attached. How can it be that both images are different? Do you think that the images are corrupted? If so what could we do about it?
On Wed, May 9, 2018 at 1:12 PM, Elmar Stellnberger estellnb@elstel.org wrote:
When I boot with iomem=relaxed and enable flash writing in my BIOS I get the following result with my Celsius H265 notebook:
flashrom -p internal:laptop=force_I_want_a_brick --read celsius2.rom
flashrom p1.0-74-g2568357 on Linux 4.17.0-rc3+ (x86_64) flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
WARNING! You seem to be running flashrom on an unsupported laptop. Laptops, notebooks and netbooks are difficult to support and we recommend to use the vendor flashing utility. The embedded controller (EC) in these machines often interacts badly with flashing. See the manpage and https://flashrom.org/Laptops for details.
If flash is shared with the EC, erase is guaranteed to brick your laptop and write may brick your laptop. Read and probe may irritate your EC and cause fan failure, backlight failure and sudden poweroff. You have been warned. ======================================================================== Proceeding anyway because user forced us to. Found chipset "Intel ICH9M-E". Enabling flash write... OK. Found Winbond flash chip "W25X32" (4096 kB, SPI) mapped at physical address 0x00000000ffc00000. Reading flash... done.
However if I execute this twice I get two different images: wget https://www.elstel.org/uploads/celsius.rom wget https://www.elstel.org/uploads/celsius2.rom
Using vbindiff I can see that quite a lot is different between both images. - which would be difficult to achieve if the firmware was changed while I am running my computer. The image may be somehow corrupted as me_cleaner (BIOS offers Intel AMT) can not process the image:
python ../me_cleaner/me_cleaner.py -S -O celsius-no-me.rom celsius.rom Unknown image
See also the dmidecode that I have attached. How can it be that both images are different? Do you think that the images are corrupted? If so what could we do about it?
There is probably an embedded controller (EC) connected to the SPI ROM that is accessing the ROM at the same time as flashrom. See https://flashrom.org/Laptops for details.
If this is the case, then you will need to figure out how to prevent the EC from reading/writing the ROM at the same time as flashrom. This could be as simple as disabling your OS's power management daemon to avoid stimulating it, or it may require sending a command to the EC (likely a sequence of OUTBs) to put it into an update or recovery mode to prevent it from accessing the firmware ROM.
Hello Elmar,
On 09.05.2018 22:12, Elmar Stellnberger wrote:
However if I execute this twice I get two different images: wget https://www.elstel.org/uploads/celsius.rom wget https://www.elstel.org/uploads/celsius2.rom
actually, I don't see a BIOS in there at all. And the firmware descrip- tor (first 4KiB of a SPI flash in Intel systems) says there is no BIOS region (output of ich_descriptor_tool):
=== Region Section === FLREG0 0x00000000 FLREG1 0x00000fff FLREG2 0x03ff0005 FLREG3 0x00020001
--- Details --- Region 0 (Descr. ) 0x00000000 - 0x00000fff Region 1 (BIOS ) is unused. Region 2 (ME ) 0x00005000 - 0x003fffff Region 3 (GbE ) 0x00001000 - 0x00002fff
So it seems *this* SPI flash is only used for chipset configuration and ME firmware.
As David pointed out, your BIOS may share the flash chip with an Embed- ded Controller (its unlikely that flashrom wouldn't see the chip other- wise). And I can't advice you to use further try using flashrom. This situation (EC shared flash) is exactly why we have that "I_want_a_brick" option.
If you want to hunt more clues nevertheless, you can send us the output of `flashrom -p internal:laptop=force_I_want_a_brick -V`. IIRC, it also tells from which bus the BIOS was loaded.
Using vbindiff I can see that quite a lot is different between both images. - which would be difficult to achieve if the firmware was changed while I am running my computer. The image may be somehow corrupted as me_cleaner (BIOS offers Intel AMT) can not process the image:
I think the ME has some logging enabled and simply writes to the flash.
Nico
On 2018-05-11 00:08, Nico Huber wrote:
actually, I don't see a BIOS in there at all. ... If you want to hunt more clues nevertheless, you can send us the output of `flashrom -p internal:laptop=force_I_want_a_brick -V`. IIRC, it also tells from which bus the BIOS was loaded.
I think the ME has some logging enabled and simply writes to the flash.
Nico
On 2018-05-10 23:24, David Hendricks wrote:
If this is the case, then you will need to figure out how to prevent the EC from reading/writing the ROM at the same time as flashrom. This could be as simple as disabling your OS's power management daemon to avoid stimulating it, or ...
Here comes the verbose output of flashrom as attachement. This time the output was taken after shutting down the backlight daemons: systemctl stop systemd-backlight@backlight:acpi_video0.service systemctl stop systemd-backlight@backlight:nv_backlight.service
- and see the newly loaded rom images do not differ any more (though the time between taking both images has been less this time).
wget https://www.elstel.org/uploads/celsius3.rom wget https://www.elstel.org/uploads/celsius4.rom
Is it true that these flash images do not contain a BIOS? If it still contains all ME regions that should be enough for disabling ME? How to do that - I have heard that me_cleaner only works on gen2 and gen3 MEs but that my ME would be gen1?
On Fri, May 11, 2018 at 7:52 AM, Elmar Stellnberger estellnb@elstel.org wrote:
On 2018-05-11 00:08, Nico Huber wrote:
actually, I don't see a BIOS in there at all. ...
If you want to hunt more clues nevertheless, you can send us the output of `flashrom -p internal:laptop=force_I_want_a_brick -V`. IIRC, it also tells from which bus the BIOS was loaded.
I think the ME has some logging enabled and simply writes to the flash.
Nico
On 2018-05-10 23:24, David Hendricks wrote:
If this is the case, then you will need to figure out how to prevent the EC from reading/writing the ROM at the same time as flashrom. This could be as simple as disabling your OS's power management daemon to avoid stimulating it, or ...
Here comes the verbose output of flashrom as attachement. This time the output was taken after shutting down the backlight daemons: systemctl stop systemd-backlight@backlight:acpi_video0.service systemctl stop systemd-backlight@backlight:nv_backlight.service
- and see the newly loaded rom images do not differ any more (though the
time between taking both images has been less this time).
Glad that seems to have worked for reading. However as Nico said we really can't recommend attempting to write using flashrom. At least not unless you can get a full understanding of how this works and how to safely disable the EC for updates, and have a method for recovery (e.g. an external programmer). Anything that interacts with the EC (power, thermal, input events, maybe other things) can wake it up and put your system in a bad (possibly bricked) state.
wget https://www.elstel.org/uploads/celsius3.rom wget https://www.elstel.org/uploads/celsius4.rom
Is it true that these flash images do not contain a BIOS?
It appears true. As Nico said it appears this chip is only for ME firmware and configuration data. There is almost certainly another SPI flash on the motherboard for the BIOS. You may need to (de-)assert some GPIO or send a special command to the EC to select it.
If it still contains all ME regions that should be enough for disabling ME? How to do that - I have heard that me_cleaner only works on gen2 and gen3 MEs but that my ME would be gen1?
I'm not an expert on me_cleaner, but the long story short is that ME is a complicated beast that changes frequently and is very intertwined with how the system works. me_cleaner can remove some (many?) modules but can't disable it completely since ME controls some functions needed to bring-up the CPU. I'm sure they'd appreciate your help demystifying your ME's generation!
Hi attendees of the flashrom list, Hi Nicola Corna,
Today I have tried to write an image to the rom of my Celsius H265 and see it has worked without any problems (see for the attachement).
flashrom -V -p internal:laptpop=force_I_want_a_brick --write celsius3-me_cleaned.rom
https://www.elstel.org/uploads/celsius3-me_cleaned.rom https://www.elstel.org/uploads/celsius3.rom
The image was produced with the dev-branch of me_cleaner by: ./me_cleaner.py -d -O celsius3-me_cleaed.rom celsius3.rom. Flash reading has been successfully tested before.
Regards, Elmar
-
David Hendricks -
Elmar Stellnberger -
Nico Huber